A critical vulnerability in the AWS Console flagged by security researchers could have led to a massive supply chain attack, according to a report released Thursday by Wiz.
The vulnerability, dubbed CodeBreach, could have allowed an attacker to take over core AWS GitHub repositories — specifically the AWS JavaScript SDK — which powers the AWS Console and is installed in about two-thirds of cloud environments, according to Wiz.
Wiz researchers disclosed the flaw to AWS in August 2025, and the company immediately worked to remediate the issue. Specific hardening measures were taken to prevent such an attack, including the implementation of a Pull Request Comment Approval build gate, which provides organizations a secure way to prevent untrusted builds, according to Wiz.
The issue related to a subtle flaw in how the repositories’ AWS CodeBuild CI pipelines handled build triggers, according to Yuval Avrahami, vulnerability researcher at Wiz. Just two missing characters in a Regex filter could allow an unauthenticated attacker to compromise the build environment and then hijack the code repositories.
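To make the regex point concrete, here is an added example in Python (not code from Wiz, AWS or this article): it models a CodeBuild-style webhook filter on the actor account ID, shows how a pattern missing its `^` and `$` anchors (my assumption about which two characters were missing; the article does not say) accepts any account ID that merely contains an allowed ID, and includes a small audit a defender can run over filter patterns before relying on them as a build gate. The filter-group shape, the search-style matching semantics and the trusted IDs are constructed for illustration.

```python
import re

# Constructed allow-list of trusted GitHub actor account IDs (sample values,
# not real accounts).
TRUSTED_ACTOR_IDS = ["1234567", "7654321"]


def build_actor_filter(anchored: bool) -> dict:
    """Return a filter in the shape of a CodeBuild webhook filter
    ({"type": ..., "pattern": ...}) that should allow only TRUSTED_ACTOR_IDS.
    With anchored=False the pattern lacks the ^...$ anchors."""
    body = "|".join(re.escape(i) for i in TRUSTED_ACTOR_IDS)
    pattern = f"^({body})$" if anchored else body
    return {"type": "ACTOR_ACCOUNT_ID", "pattern": pattern}


def actor_allowed(filter_group: dict, actor_id: str) -> bool:
    """Simulate the trigger decision. Assumption for illustration: the pattern
    is applied with search (substring) semantics, so an unanchored pattern
    matches anywhere inside the incoming actor ID."""
    return re.search(filter_group["pattern"], actor_id) is not None


def audit_filter(filter_group: dict) -> list[str]:
    """Lint an allow-list pattern for ways it can match more than intended.
    Returns a list of human-readable findings (empty means no issue found)."""
    findings = []
    p = filter_group["pattern"]
    if not p.startswith("^") or not p.endswith("$"):
        findings.append("pattern is not anchored with ^...$")
    if "|" in p and not (p.startswith("^(") and p.endswith(")$")):
        findings.append("alternation is not grouped, so anchors bind to one branch only")
    return findings


if __name__ == "__main__":
    weak, strict = build_actor_filter(False), build_actor_filter(True)
    # An untrusted ID that merely contains a trusted ID as a substring.
    untrusted = "991234567"
    print("weak filter accepts untrusted actor:", actor_allowed(weak, untrusted))
    print("strict filter accepts untrusted actor:", actor_allowed(strict, untrusted))
    print("audit of weak filter:", audit_filter(weak))
```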
“Once in control of the repositories, attackers could have injected backdoors into the SDK to harvest credentials and exfiltrate sensitive data from the millions of applications using it, or target the AWS Console itself to manipulate cloud infrastructure,” Avrahami told Cybersecurity Dive via email. “It could have potentially escalated into a platform-wide compromise that affected AWS users worldwide.”
AWS confirmed that it took immediate steps to address the issue after Wiz researchers disclosed the misconfiguration in August 2025.
“AWS immediately investigated Wiz’s research and found that there was no impact on the confidentiality or integrity of any customer environment or AWS service. To mitigate any potential future threats related to the findings, we implemented additional remediations including credential rotations and audits of other AWS-managed open source repositories.”
AWS issued a security bulletin outlining a number of steps it took related to the potential risk.
Researchers examined this particular issue after an attempted supply chain attack on the Amazon Q VS Code extension. That issue was addressed in a July 2025 advisory. There is no evidence the current misconfiguration has been used in an attack.
Wiz researchers said the vulnerability poses a similar risk to the Nx S1ngularity supply chain attacks that took place in August 2025. That attack involved malicious versions of the Nx build system package being published.
Security analysts said the discovery reveals a dangerous new dimension to potential supply chain risk.
“Coupled with the Amazon Q incident, where a flawed webhook allowed unauthorized code injection into an AWS-released VS Code extension, these defects expose how overlooked pipeline logic can create massive risks, bypassing traditional defenses like credential security or malware detection,” Janet Worthington, senior analyst for security and risk at Forrester, told Cybersecurity Dive.
Users do not need to take any immediate action, but Wiz researchers suggest that users create a unique personal access token for each CodeBuild project. Users should also enable the Pull Request Comment Approval build gate mentioned above.
Editor’s note: Updates with comment from AWS, Forrester.